
Module security

Available on crate feature signatures only.

Digital signatures, encryption, and security features.

This module provides cryptographic capabilities for Codex documents:

  • Signatures: ECDSA (ES256, ES384), EdDSA (Ed25519), RSA-PSS (PS256), ML-DSA-65 (post-quantum), and WebAuthn/FIDO2 digital signatures
  • Encryption: AES-256-GCM and ChaCha20-Poly1305 authenticated encryption
  • Certificate Validation: X.509 certificate chain validation
  • Revocation Checking: OCSP and CRL certificate revocation (feature: ocsp)
  • Access Control: Permission management for document operations

§Signing Documents (ECDSA)

```rust
use cdx_core::security::{EcdsaSigner, SignerInfo, Signer};

// Identity metadata recorded alongside the signature.
let signer_info = SignerInfo::new("Alice");
// Fresh P-256 key pair: the signer keeps the private key, verifiers get the PEM public key.
let (signer, public_key_pem) = EcdsaSigner::generate(signer_info)?;
// `document_id` identifies the document being signed (its construction is not shown here).
let signature = signer.sign(&document_id)?;
```

§Signing Documents (EdDSA)

```rust
use cdx_core::security::{EddsaSigner, SignerInfo, Signer};

// Identity metadata recorded alongside the signature.
let signer_info = SignerInfo::new("Alice");
// Fresh Ed25519 key pair: the signer keeps the private key, verifiers get the PEM public key.
let (signer, public_key_pem) = EddsaSigner::generate(signer_info)?;
// `document_id` identifies the document being signed (its construction is not shown here).
let signature = signer.sign(&document_id)?;
```

§Encrypting Data

```rust
use cdx_core::security::Aes256GcmEncryptor;

// A random 256-bit key; keep it secret and never reuse it with the same nonce.
let key = Aes256GcmEncryptor::generate_key();
let encryptor = Aes256GcmEncryptor::new(&key)?;
// The result carries both the ciphertext and the nonce that was used for it.
let encrypted = encryptor.encrypt(b"secret data")?;
// Decryption requires the same nonce; a modified ciphertext or tag fails authentication here.
let decrypted = encryptor.decrypt(&encrypted.ciphertext, &encrypted.nonce)?;
```

Modules§

eku
Common extended key usage OIDs.

Structs§

AccessControl
Access control settings for a document.
Aes256GcmEncryptor (feature: encryption)
AES-256-GCM encryptor.
Annotation
A core annotation.
AnnotationsFile
Core annotations file for security/annotations.json.
CertificateChain
A certificate chain for validation.
CertificateInfo
Information extracted from a certificate.
CertificateValidation
Result of certificate chain validation.
ChaCha20Poly1305Encryptor (feature: encryption-chacha)
ChaCha20-Poly1305 encryptor.
EcdhEsKeyUnwrapper (feature: key-wrapping)
ECDH-ES+A256KW key unwrapper (recipient side).
EcdhEsKeyWrapper (feature: key-wrapping)
ECDH-ES+A256KW key wrapper (sender side).
EcdsaSigner
ECDSA P-256 signer (ES256).
EcdsaVerifier
ECDSA P-256 verifier (ES256).
EddsaSigner (feature: eddsa)
EdDSA (Ed25519) signer.
EddsaVerifier (feature: eddsa)
EdDSA (Ed25519) verifier.
EncryptedData (feature: encryption)
Result of an encryption operation.
EncryptionMetadata (feature: encryption)
Encryption metadata stored in the document.
Es384Signer (feature: signatures-es384)
ECDSA P-384 signer (ES384).
Es384Verifier (feature: signatures-es384)
ECDSA P-384 verifier (ES384).
KeyDerivation (feature: encryption)
Key derivation function parameters.
MlDsaSigner (feature: ml-dsa)
ML-DSA-65 signer.
MlDsaVerifier (feature: ml-dsa)
ML-DSA-65 verifier.
Pbes2KeyUnwrapper (feature: key-wrapping-pbes2)
PBES2-HS256+A256KW key unwrapper (password-based).
Pbes2KeyWrapper (feature: key-wrapping-pbes2)
PBES2-HS256+A256KW key wrapper (password-based).
Pbes2WrappedKeyData (feature: key-wrapping-pbes2)
Result of wrapping a content encryption key with PBES2.
PermissionGrant
A permission grant for a specific principal.
Permissions
Permission settings.
Ps256Signer (feature: signatures-rsa)
RSA-PSS signer (PS256).
Ps256Verifier (feature: signatures-rsa)
RSA-PSS verifier (PS256).
Recipient (feature: encryption)
Recipient information for multi-recipient encryption.
RevocationChecker (feature: ocsp)
Certificate revocation checker.
RevocationConfig (feature: ocsp)
Configuration for revocation checking.
RevocationResult (feature: ocsp)
Result of a revocation check.
RsaOaepKeyUnwrapper (feature: key-wrapping-rsa)
RSA-OAEP-256 key unwrapper (recipient side).
RsaOaepKeyWrapper (feature: key-wrapping-rsa)
RSA-OAEP-256 key wrapper (sender side).
RsaWrappedKeyData (feature: key-wrapping-rsa)
Result of wrapping a content encryption key with RSA-OAEP.
Signature
A digital signature.
SignatureFile
Signature file structure.
SignatureScope
Signature scope for scoped signatures.
SignatureVerification
Result of signature verification.
SignerInfo
Information about the signer.
TrustedTimestamp
RFC 3161 trusted timestamp token.
WebAuthnSignature
WebAuthn/FIDO2 signature data.
WebAuthnVerifier (feature: webauthn)
WebAuthn signature verifier.
WrappedKeyData (feature: key-wrapping)
Result of wrapping a content encryption key.

Enums§

AnnotationType
Annotation type for core annotations.
EncryptionAlgorithm (feature: encryption)
Encryption algorithm enumeration.
KdfAlgorithm (feature: encryption)
Key derivation algorithm.
KeyManagementAlgorithm (feature: encryption)
Key management algorithm for key wrapping.
KeyUsage
Key usage flags for X.509 certificates.
Operation
Operations that can be controlled by permissions.
Principal
A security principal (user, group, or role).
RevocationMethod (feature: ocsp)
Method used for revocation checking.
RevocationReason (feature: ocsp)
Reason for certificate revocation (RFC 5280).
RevocationStatus (feature: ocsp)
Revocation status of a certificate.
SignatureAlgorithm
Signature algorithm.

Traits§

Signer
Trait for signing documents.
Verifier
Trait for verifying signatures.